Who’s reading your email?

Teschler on Topic

Leland Teschler • Executive Editor
[email protected]
On Twitter @ DW_LeeTeschler

There was a brouhaha recently on Twitter and Reddit regarding the Dutch telecom company KPN. Some of KPN’s central network equipment was made by the Chinese telecom equipment maker Huawei. An investigation found that Huawei had uncontrolled and unauthorized access to the core of the KPN mobile network, giving Huawei access to sensitive information including conversations and telephone numbers of Dutch political leaders and intelligence service officers.

The disclosures in the Netherlands are sobering. Jacob Helberg, who formerly led Google’s internal efforts to combat disinformation and foreign interference, sums up the concerns this way: “Political control is no longer determined merely by boots on the ground, it’s determined by wires in the ground. Imagine what might happen if a foreign adversary government knew the entire medical and personal history of every politician, every judge, and every journalist including all their sexual escapades, all their mental weaknesses, and all their corrupt dealings.”

But entities with nefarious intentions needn’t bother with building backdoors into telecomm equipment. They can program ordinary internet hardware to accomplish the same goals. This is the lesson learned from a stunt pulled by China Telecom (CT) in 2016 and 2017, as described by researchers from the U.S. Naval War College and Blavatnik Interdisciplinary Cyber Research Center.

The caper involved what’s called the Border Gateway Protocol (BGP), basically a listing of the next—and closest—network system routers for a given internet packet. The BGP lets routing equipment send messages via the shortest possible route. Thus to hijack network traffic, bad actors can simply install a bogus BGP list that routes traffic through networks they own.

Researchers say that in 2010 CT used a BGP hijack to route 15% of all internet traffic for 18 minutes in what is believed to be both a large-scale experiment and a demonstration of Chinese capabilities in controlling internet flow.

BGP hijacking was facilitated by the fact that CT once had eight PoPs (point of presence) in the U.S. and two in Canada. A PoP consists of high-speed telecom gear that lets ISPs and their users connect to the internet. Researchers say CT used its PoPs to hijack domestic U.S. and cross-U.S. traffic and redirect it for about six months in 2016. In one case, CT hijacked routes from Canada to Korean government sites and routed traffic through China. Though the shortest and normal route goes from Canada to the U.S. to Korea, the hijacked route started at the CT PoP in Toronto, then was forwarded inside the CT network to a CT PoP on the U.S. West Coast, from there to China, and finally to Korea. The same pattern repeated later for shorter durations.

Researchers also report that traffic from several U.S. locations to a bank headquarters in Italy was hijacked in 2016. The normal route would have been from Houston to the Washington D.C. area to Italy. Instead, it went from Houston to a CT PoP in Los Angeles and then to China. But the attackers seemed to have trouble routing traffic inside the Chinese network. Ultimately, the Chinese seemed to give up and the traffic never arrived.

And CT didn’t just divert domestic U.S. traffic. Researchers found that in 2017 traffic from Sweden and Norway to the Japanese network of a large American news organization was hijacked to China for about six weeks. The hijack started with a CT PoP in Maryland and was forwarded to a CT PoP in California, then went to China and Hong Kong before reaching Japan. “By no stretch could this period of disjointed routing have been accidental,” conclude the researchers.

Perhaps no surprise, the U.S. kicked Chinese PoPs out of the country last year. Meanwhile, these revelations are vindication of sorts for conspiracy theorists who think the government is trying to read their email: This might be true, just not for the government they had in mind. DW